A cybersecurity framework to protect digital critical infrastructure

We rely on our country's critical infrastructure to get to work, feed our families, and put a roof over our heads. This is true whether you drive to work over a bridge or log into work from your laptop on the kitchen table. Critical infrastructure is comprised of highways, bridges, water supply, power supply, food supply, medical facilities, telecommunications networks, and more.

[Update 7/15/13: Adding date for the next NIST workshop on critical infrastructure cybersecurity framework, which will be September 11-12 at the University of Texas at Dallas. The details will be posted here.]

Today, a large chunk of that critical infrastructure relies on digital systems of computation and communication, often referred to simply as "cyber." And it appears that the cyber side of that critical infrastructure is now under assault from folks who are up to no good. So what is being done about this state of affairs? In America, we're building a critical infrastructure cybersecurity framework.

You may recall a blog post in February about President Obama issuing an executive order to improve cybersecurity. This week that executive order will be seen in action here in the City of San Diego--home of ESET North America--where the University of California, San Diego (UCSD) and the National Health Information Sharing and Analysis Center (NH-ISAC) are hosting the 3rd Cybersecurity Framework Workshop (July 10-12, 2013, more details available here).

The agency at the helm of this workshop is the National Institute of Standards and Technology (NIST) which describes the purpose of the project as follows:

Executive Order 13636, Improving Critical Infrastructure Cybersecurity, has directed NIST to work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. This cybersecurity framework is being developed in an open manner with input from stakeholders in industry, academia, and government, including a public review and comment process, workshops, and other means of engagement.

So NIST has been holding workshops around the country, of which this is the third, in order to get that input. You can get an idea of where things are headed by reading the Draft Outline - Preliminary Cybersecurity Framework, which was released July 1, 2013. (Don't be fooled by the short length of the document, additional material--a matrix and compendium--are available, both linked from page 3 of the draft.)

Today I met online with several of the folks organizing the San Diego event to get a better sense of what they have planned. On the first day there will be an overview of the project and the progress so far. NIST is attempting to achieve a balance between openness to input from around the country--there will be another of these events in Dallas, Texas, in September--and steady progression in development of the framework.

Then there will be sessions that drill down into what have been identified as core cybersecurity functions, currently defined as follows:

• Know – Gaining the institutional understanding to identify what systems need to be protected, assess priority in light of organizational mission, and manage processes to achieve cost effective risk management goals
• Prevent – Categories of management, technical, and operational activities that enable the organization to decide on the appropriate outcome-based actions to ensure adequate protection against threats to business systems that support critical infrastructure components.
• Detect –Activities that identify (through ongoing monitoring or other means of observation) the presence of undesirable cyber risk events, and the processes to assess the potential impact of those events.
• Respond – Specific risk management decisions and activities enacted based upon previously implemented planning (from the Prevent function) relative to estimated impact.
• Recover - Categories of management, technical, and operational activities that restore services that have previously been impaired through an undesirable cybersecurity risk event.

The next phase will consider underlying key categories and subcategories for each of these functions, and try to match them with informative references such as existing standards, guidelines, and practices for each subcategory. A spreadsheet offering examples is referenced and linked on page 4 of the draft framework.

Although online registration for the San Diego workshop is closed, it may still be possible to register at the event on Wednesday, at Mandeville Auditorium, University of California, San Diego, 9500 Gilman Drive, La Jolla, California (you can check with Angela Ellis via email at angela [dot] ellis [at] nist.gov).